.. _qtut_authorization:

===========================================
21: Protecting Resources With Authorization
===========================================

Assign security statements to resources describing the permissions required to
perform an operation.


Background
==========

Our application has URLs that allow people to add/edit/delete content via a web
browser. Time to add security to the application. Let's protect our add/edit
views to require a login (username of ``editor`` and password of ``editor``).
We will allow the other views to continue working without a password.


Objectives
==========

- Introduce the Pyramid concepts of authentication, authorization, permissions,
  and access control lists (ACLs).

- Make a :term:`root factory` that returns an instance of our class for the top
  of the application.

- Assign security statements to our root resource.

- Add a permissions predicate on a view.

- Provide a :term:`Forbidden view` to handle visiting a URL without adequate
  permissions.


Steps
=====

#. We are going to use the authentication step as our starting point:

   .. code-block:: bash

       $ cd ..; cp -r authentication authorization; cd authorization
       $ $VENV/bin/pip install -e .

#. Start by changing ``authorization/tutorial/__init__.py`` to specify a root
   factory to the :term:`configurator`:

   .. literalinclude:: authorization/tutorial/__init__.py
       :linenos:

#. That means we need to implement ``authorization/tutorial/resources.py``:

   .. literalinclude:: authorization/tutorial/resources.py
       :linenos:

#. Change ``authorization/tutorial/views.py`` to require the ``edit``
   permission on the ``hello`` view and implement the forbidden view:

   .. literalinclude:: authorization/tutorial/views.py
       :linenos:

#. Run your Pyramid application with:

   .. code-block:: bash

       $ $VENV/bin/pserve development.ini --reload

#. Open http://localhost:6543/ in a browser.

#. If you are still logged in, click the "Log Out" link.

#. Visit http://localhost:6543/howdy in a browser. You should be asked to
   log in.


Analysis
========

This simple tutorial step can be boiled down to the following:

- A view can require a *permission* (``edit``).

- The context for our view (the ``Root``) has an access control list (ACL).

- This ACL says that the ``edit`` permission is available on ``Root`` to the
  ``group:editors`` *principal*.

- The registered ``groupfinder`` answers whether a particular user (``editor``)
  has a particular group (``group:editors``).

In summary, ``hello`` requires the ``edit`` permission, ``Root`` says that
``group:editors`` has the ``edit`` permission, and the ``groupfinder`` says that
``editor`` is in ``group:editors``. If any link in that chain is missing, the
request is denied: nothing is allowed unless some ACL entry allows it.

Of course, this ACL only applies on ``Root``. Some other part of the site
(a.k.a. *context*) might have a different ACL.

If you are not logged in and visit ``/howdy``, you need to be shown the login
screen. How does Pyramid know which login page to use? We explicitly told
Pyramid that the ``login`` view should be used by decorating it with
``@forbidden_view_config``. Note that the forbidden view is invoked for every
failed permission check, whether the visitor is anonymous or logged in as a
user who simply lacks ``edit``; a forbidden view that always shows the login
form will therefore ask an already-authenticated user to log in again.


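The chain above (permission on the view, ACL on the context, groups from the
``groupfinder``) and the remark that a different context may carry a different
ACL can be exercised without a running server. The following is an added
example, not the tutorial's ``resources.py`` or ``views.py`` and not Pyramid's
own code: it models the decision rule of Pyramid 1.x's
``ACLAuthorizationPolicy`` (walk from the context up through ``__parent__``,
the first ACE whose principal and permission both match decides, no match
means denied) in plain Python so it runs with nothing installed. The
``Allow``/``Deny``/``Everyone``/``Authenticated``/``ALL_PERMISSIONS`` constants
stand in for the names of the same meaning in ``pyramid.security``; the
``archive`` resource, the ``viewer`` user and the ``GROUPS`` table are
constructed for this example.

```python
"""Stand-alone model of Pyramid's ACL permission check (added example; not the
tutorial's code and not Pyramid's implementation).  Nothing here imports
Pyramid.  The constants below stand in for pyramid.security names; the
``archive`` resource, ``viewer`` user and GROUPS table are constructed."""

Allow = "Allow"
Deny = "Deny"
Everyone = "system.Everyone"            # principal every request has
Authenticated = "system.Authenticated"  # principal every logged-in request has
ALL_PERMISSIONS = object()              # sentinel ACE permission: matches anything


class Resource:
    """Traversal resource: an optional __acl__ plus a __parent__ link."""

    def __init__(self, name, parent=None, acl=None):
        self.__name__ = name
        self.__parent__ = parent
        if acl is not None:
            self.__acl__ = acl


# Same shape as the tutorial's Root: editors may edit, anyone may view.
root = Resource("", acl=[
    (Allow, "group:editors", "edit"),
    (Allow, Everyone, "view"),
])

# Constructed sub-section with its own ACL (extra credit 4).  Its Deny ACE is
# consulted before Root's Allow, so nobody, not even an editor, may edit here.
archive = Resource("archive", parent=root, acl=[
    (Deny, Everyone, "edit"),
])

# Constructed user -> groups table; the tutorial's groupfinder answers the same
# question.  An unknown user yields None, meaning "not a valid login".
GROUPS = {"editor": ["group:editors"], "viewer": []}


def groupfinder(userid, request=None):
    return GROUPS.get(userid)


def effective_principals(userid):
    """Everyone, plus Authenticated, the userid and its groups when logged in."""
    principals = [Everyone]
    if userid is not None:
        groups = groupfinder(userid)
        if groups is not None:
            principals += [Authenticated, userid, *groups]
    return principals


def lineage(context):
    """Yield the context, then each __parent__ up to the root."""
    while context is not None:
        yield context
        context = getattr(context, "__parent__", None)


def ace_covers(ace_permissions, permission):
    """An ACE may name one permission, a list of them, or ALL_PERMISSIONS."""
    if ace_permissions is ALL_PERMISSIONS:
        return True
    if isinstance(ace_permissions, str):
        return ace_permissions == permission
    return permission in ace_permissions


def permits(context, principals, permission):
    """Nearest ACL first; the first ACE whose principal and permission both
    match decides (Allow -> True, Deny -> False).  No matching ACE anywhere in
    the lineage means denied: ACLs are default-deny."""
    for resource in lineage(context):
        for action, principal, ace_permissions in getattr(resource, "__acl__", ()):
            if principal in principals and ace_covers(ace_permissions, permission):
                return action == Allow
    return False


def can(userid, context, permission):
    """The question a view declared with permission=... asks before running."""
    return permits(context, effective_principals(userid), permission)


if __name__ == "__main__":
    for user in (None, "viewer", "editor"):
        for ctx in (root, archive):
            print(f"{user!r:9} edit {ctx.__name__ or '/':8} -> {can(user, ctx, 'edit')}")
```

Running the file prints the decision for each user and context; the
``archive`` rows show why "which ACL applies" depends on where in the hierarchy
the request lands, and the anonymous rows show that a request with only the
``Everyone`` principal is denied ``edit`` because no ACE grants it, not because
an ACE denies it. In the real application this walk is done by
``ACLAuthorizationPolicy`` and the group lookup by the ``groupfinder`` callback
handed to the authentication policy; the model exists only to make the rule
visible.

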
Extra credit
============

#. Do I have to put a ``renderer`` in my ``@forbidden_view_config`` decorator?

#. Perhaps you would like the experience of not having enough permissions
   (forbidden) to be richer. How could you change this?

#. Perhaps we want to store security statements in a database and allow editing
   via a browser. How might this be done?

#. What if we want different security statements on different kinds of objects?
   Or on the same kinds of objects, but in different parts of a URL hierarchy?